From: Vladimir Davydov <vdavy...@parallels.com>

It is possible to disable oom killer inside a memory cgroup by writing 1 to memory.oom_control. If a process inside such a cgroup hits the memory limit and is unable to reclaim anything, it will wait until more memory becomes available.
This operation shouldn't be allowed inside container, because (a) disabling oom in a cgroup disables it in all its ascendants and (b) it is impossible to stop a container if there is a process waiting for memory instead of invoking oom killer (freezer will never be able to freeze it). Signed-off-by: Vladimir Davydov <vdavy...@parallels.com> Reviewed-by: Kirill Tkhai <ktk...@odin.com> (cherry picked from vz8 commit 98e3cf14f11d2896d1f22ff2952a90cea2f458bc) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- mm/memcontrol.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index ae6de65..aa75ae2 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -52,6 +52,7 @@ #include <linux/sort.h> #include <linux/fs.h> #include <linux/seq_file.h> +#include <linux/ve_proto.h> #include <linux/vmpressure.h> #include <linux/mm_inline.h> #include <linux/swap_cgroup.h> @@ -4509,6 +4510,9 @@ static int mem_cgroup_oom_control_write(struct cgroup_subsys_state *css, if (mem_cgroup_is_root(memcg) || !((val == 0) || (val == 1))) return -EINVAL; + if (!ve_is_super(get_exec_env()) && val != 0) + return -EACCES; + memcg->oom_kill_disable = val; if (!val) memcg_oom_recover(memcg); -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
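Review bot: the new check in mem_cgroup_oom_control_write() tests the writer's environment via get_exec_env(), not the memcg being modified, so a writer for which ve_is_super() is true can still set oom_kill_disable to 1 on a container's cgroup, and the unstoppable-container case (b) from the commit message remains reachable from that side. If that is the intended policy, a short comment above `if (!ve_is_super(get_exec_env()) && val != 0)` would help: it should say that only in-container writers are restricted and that writing 0 is deliberately still allowed so a container can re-enable the OOM killer and trigger memcg_oom_recover(). Because the check sits after the existing -EINVAL validation, `val != 0` can only mean `val == 1` here; writing it as `val == 1`, or as `val`, would match the surrounding code more directly.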